From d279db85dbf455a6cbdacc48cbbc2081a9be5252 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 23 May 2016 16:18:02 +0200
Subject: [PATCH] replica install: do not set CA renewal master flag
The CA renewal master flag was unconditionally set on every replica during
replica install. This causes the Dogtag certificates initially shared
among all replicas to differ after renewal.
Do not set the CA renewal master flag in replica install anymore. On
upgrade, remove the flag from all but one IPA masters.
https://fedorahosted.org/freeipa/ticket/5902
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/install/ca.py                        |  6 +++++-
 ipaserver/install/plugins/ca_renewal_master.py | 24 ++++++++++++++++++++++--
 2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
db5969
index b4db8dcbfad9d482e7106cd06b3d497ccf8954f0..aa3fe991bd958c59dc369f41d4bd6fdfceee9370 100644
db5969
--- a/ipaserver/install/ca.py
db5969
+++ b/ipaserver/install/ca.py
db5969
@@ -191,7 +191,11 @@ def install_step_1(standalone, replica_config, options):
db5969
         ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
db5969
 
db5969
     # We need to ldap_enable the CA now that DS is up and running
db5969
-    ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster'])
db5969
+    if replica_config is None:
db5969
+        config = ['caRenewalMaster']
db5969
+    else:
db5969
+        config = []
db5969
+    ca.ldap_enable('CA', host_name, dm_password, basedn, config)
db5969
 
db5969
     # This is done within stopped_service context, which restarts CA
db5969
     ca.enable_client_auth_to_db(dogtag_constants.CS_CFG_PATH)
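Review bot: The new `if replica_config is None` branch gives no hint why a replica no longer receives `caRenewalMaster`, which is exactly the kind of decision a later maintainer may be tempted to undo; a comment above it would preserve the rationale, e.g. `# Only the initial master is the CA renewal master; flagging every replica too made the shared Dogtag certificates diverge after renewal (ticket 5902).` The four-line branch could also collapse to `config = ['caRenewalMaster'] if replica_config is None else []`. install_step_1 starts and ends outside the hunk.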
db5969
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
db5969
index dae976f02dc7f963736ca57344345135dbc1fe3b..c0c655c912a6b02da11d0feb333716f7653768ed 100644
db5969
--- a/ipaserver/install/plugins/ca_renewal_master.py
db5969
+++ b/ipaserver/install/plugins/ca_renewal_master.py
db5969
@@ -42,6 +42,7 @@ class update_ca_renewal_master(Updater):
db5969
         ldap = self.api.Backend.ldap2
db5969
         base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
db5969
                      self.api.env.basedn)
db5969
+        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
db5969
         filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
db5969
         try:
db5969
             entries = ldap.get_entries(base_dn=base_dn, filter=filter,
db5969
@@ -50,7 +51,27 @@ class update_ca_renewal_master(Updater):
db5969
             pass
db5969
         else:
db5969
             self.debug("found CA renewal master %s", entries[0].dn[1].value)
db5969
-            return False, []
db5969
+
db5969
+            master = False
db5969
+            updates = []
db5969
+
db5969
+            for entry in entries:
db5969
+                if entry.dn == dn:
db5969
+                    master = True
db5969
+                    continue
db5969
+
db5969
+                updates.append({
db5969
+                    'dn': entry.dn,
db5969
+                    'updates': [
db5969
+                        dict(action='remove', attr='ipaConfigString',
db5969
+                             value='caRenewalMaster')
db5969
+                    ],
db5969
+                })
db5969
+
db5969
+            if master:
db5969
+                return False, updates
db5969
+            else:
db5969
+                return False, []
db5969
 
db5969
         criteria = {
db5969
             'cert-database': paths.HTTPD_ALIAS_DIR,
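Review bot: When several masters carry `caRenewalMaster` and the local host is one of them, the loop queues a `remove` for every other entry without logging it, so the only trace of the upgrade demoting another master is the existing `found CA renewal master` line, which names just `entries[0]`; adding `self.debug("removing CA renewal master flag from %s", entry.dn[1].value)` inside the loop before `updates.append` would make the change auditable. The loop also builds `updates` when the local host is not among the entries and then discards them in the `else` branch; checking `if not any(entry.dn == dn for entry in entries): return False, []` before the loop would avoid that and remove the need for the `master` flag. If two hosts both carry the flag and run this updater at the same time, each appears to strip the other's flag, leaving none — presumably the `criteria`-based detection below then picks one again, but that is worth confirming. `dn` is defined in the preceding hunk, and the enclosing method starts and ends outside this hunk.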
db5969
@@ -96,7 +117,6 @@ class update_ca_renewal_master(Updater):
db5969
                     "assuming local CA is renewal slave", config)
db5969
                 return (False, False, [])
db5969
 
db5969
-        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
db5969
         update = {
db5969
                 'dn': dn,
db5969
                 'updates': [
db5969
-- 
2.5.5